Keys and Passwords. Steven M. Bellovin October 17,
|
|
- Dwight Simpson
- 5 years ago
- Views:
Transcription
1 Keys and Passwords Steven M. Bellovin October 17,
2 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven M. Bellovin October 17,
3 Public/Private Keys Who generates the private key for a certificate? The server may have better random number generators Only the client needs the key (Does the corporation need a copy of the key?) If the server generates the key, how does it get to the client securely? (How does the public key get to the CA securely?) Steven M. Bellovin October 17,
4 Secret Keys Who generates secret keys? The problem is harder both parties need to know them Again, how are they communicated securely? Steven M. Bellovin October 17,
5 Communication Options Channel authenticated by other means Public-key protected channel Hard-wired contact Out-of-band communications Note: process matters! Steven M. Bellovin October 17,
6 Out-of-Band Communications Telephone SMS text message Postal mail Steven M. Bellovin October 17,
7 What are the Enemy s Powers? Steal letters from a mailbox? Fake CallerID with an Asterisk PBX? Planting malware on the phone? Burglary, bribery, blackmail? Steven M. Bellovin October 17,
8 Tamper Resistance Keys are safer in tamper-resistant containers they can t be stolen See the three Bs above Note well: tamper-resistant, not tamper-proof The availability of tamper-resistant hardware changes the tradeoffs Steven M. Bellovin October 17,
9 Online vs. Offline Does the key generator need to be online? A CA can be offline, and accept public keys via, say, CD That may be riskier than having it generate the private key what if there s a buffer overflow in the read routine? (But the CA has to read other things, like username) For secret keys, the server can t be offline; rather, some copy of the key has to be online, to use it Steven M. Bellovin October 17,
10 No Perfect Answers! There are always tradeoffs The right answer in one situation may be the wrong answer in another Must evaluate the risks and the benefits of each alternative Caution: assume that the enemy s powers will grow Steven M. Bellovin October 17,
11 Putting it All Together Let s look at some relatively simple privileged programs How do they combine the different mechanisms we ve seen? What are the threats? The defenses? Steven M. Bellovin October 17,
12 The Passwd Command Permits users to change their own passwords In other words, controls system access Very security-sensitive! How does it work? Steven M. Bellovin October 17,
13 Necessary Files /etc/passwd must be world-readable, for historical reasons Maps numeric UID to/from username Historical format: root:8.kxuj8mghcwq:0:0:root:/root:/bin/sh Fields: username, hashed password, numeric uid, numeric gid, name, home directory, shell Numeric uid/gid is what is stored for files Password is two bytes of salt, 11 bytes of encryption output Encoded in base 64 format: A-Za-z0-9./ Steven M. Bellovin October 17,
14 Password Refresher Stored in irreversibly hashed form Classic scheme used encryption algorithm in odd way Use salt to prevent the same password from hashing to the same value on different machines, or for different users Salt makes dictionary of precomputed hashed passwords much more expensive Steven M. Bellovin October 17,
15 Storing the Hashed Password Better not make it world-readable Store in a shadow password file That file can be read-protected Steven M. Bellovin October 17,
16 File Permissions $ ls -l /etc/passwd /etc/shadow -rw-r--r-- 1 root root 671 Oct 3 10:42 /etc/passwd -r root root 312 Oct 3 10:42 /etc/shadow Steven M. Bellovin October 17,
17 Must Be Owned by Root! Ownership of that file is equivalent to root permissions Anyone who can rewrite it can give themselves root permissions Cannot use lesser permissions Note: adding a line to that file (often with a text editor) is the first step in adding a user login to the system Steven M. Bellovin October 17,
18 Implications of the Numeric UID/GUID Assigning a UID to a username grants access to that UID s files In other words, anyone with write permission on /etc/passwd has access to all files on the systm Consequence: even if we changed the kernel so that root didn t have direct access to all files, this mechanism provides indirect access to all files Conclusion: Cannot give root control over UID assignment on secure systems Steven M. Bellovin October 17,
19 What Else Shouldn t Root Be Able to Change? The user s password! Attack: change the user s password to something you know Windows XP does not give Administrator either of these powers Steven M. Bellovin October 17,
20 The Passwd Command Clearly, must be setuid to root Must be carefully written... Steven M. Bellovin October 17,
21 Authenticating the User Passwd program has real UID Demand old password why? Guard against someone doing permanent damage with minimal access Root can change other user s passwords Steven M. Bellovin October 17,
22 Where Does the Salt Come From? Passwd command generates random number Need this be true-random? No probably different will suffice. Seed ordinary pseudo-random number generator with time and PID Steven M. Bellovin October 17,
23 Restricting Access Suppose only a few people were allowed to change their own passwords Take away other-execute permission; put those people in the same group as passwd Steven M. Bellovin October 17,
24 Front Ends What about the help desk, for forgotten passwords? Have a setuid root front end that invokes passwd Validate: make sure they can only change certain users passwords Log it! (Much more later in the semester on logging) Steven M. Bellovin October 17,
25 Making a Temporary Copy Must copy password file to temporary location and back to change a password Watch out for race condition attacks! Actual solution: put temporary file in /etc instead of /tmp; avoid whole problem Secondary benefit: use temporary file as lock file, and as recovery location in case of crash Steven M. Bellovin October 17,
26 Update in Place Password changes could overwrite the file in place Doesn t work for use add/delete or name change Still need locking Steven M. Bellovin October 17,
27 Passwords on the Command Line? Bad idea ps shows it Bad idea may be in shell history file $ history date 13 man setuid 14 ls -l tty Your terminal isn t readable by others: $ ls -l tty crw--w smb tty 136, 5 Oct 26 14:24 /dev/pts/5 Steven M. Bellovin October 17,
28 Changing Your Name Chsh is like passwd, but it lets you change other fields Ordinary users can change shell and human-readable name; root can change other fields Much more dangerous than passwd Steven M. Bellovin October 17,
29 Input Filtering What if user supplies new shell or name with embedded colons? Embedded newlines? Both? Could create fake entries! Must filter for such things Steven M. Bellovin October 17,
30 Features Used Access control Locking/race prevention Authentication Privilege (setuid) Filtering Steven M. Bellovin October 17,
31 Security Analysis: Internet Thermostats I recently decided to investigate Internet thermostats Control and monitor my house temperature remotely Are there security risks? Steven M. Bellovin October 17,
32 One Popular Brand Thermostats have built-in web servers Simplest mode: direct connection to thermostat Alternate mode: thermostat and user connect to company s web site; company can generate alert s Steven M. Bellovin October 17,
33 What s at Risk? Turning off someone s heat in the middle of winter? Turning on the heat in the summer? Run heat and air conditioning simultaneously? Steven M. Bellovin October 17,
34 Local Management Steven M. Bellovin October 17,
35 Local Problems No https people can eavesdrop Uses Basic Authentication : The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user s password over the physical network.... Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used (without enhancements) to protect sensitive or valuable information. No read-only mode Steven M. Bellovin October 17,
36 Remote Management Steven M. Bellovin October 17,
37 Remote Problems Https but only to the server Unencrytped traffic from the server to the thermostats (The words security and encyption are not mentioned in the API manual... ) Passwords are sent in the clear across the Internet Passwords are stored in bulk on the server Steven M. Bellovin October 17,
38 Privacy Issues Energy consumption patterns Al Gore s thermostat setting? Japanese office thermostat settings? Vacation schedules (burglary risk?) Steven M. Bellovin October 17,
39 Defenses Can t touch thermostat software Add layering access controls on top of built-in controls Use crypto tunnels Filter setting change requests Steven M. Bellovin October 17,
40 Last-Ditch Defenses Add a low-limit heat switch in parallel Add a high-limit heat switch in series These are hardware devices, not software Protect against bugs What if they fail? Independent failure modes; protect against each other Steven M. Bellovin October 17,
41 How to Analyze This? Hard to know all the threats Approach: see what is made available, and ask who might want it Reason by analogy and effect Check the gold standard (Au): Authentication, Authorization, Audit Steven M. Bellovin October 17,
The Internet of Things. Steven M. Bellovin November 24,
The Internet of Things Steven M. Bellovin November 24, 2014 1 What is the Internet of Things? Non-computing devices...... with CPUs... and connectivity (Without connectivity, it s a simple embedded system)
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationArchitecture. Steven M. Bellovin October 31,
Architecture Steven M. Bellovin October 31, 2016 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationArchitecture. Steven M. Bellovin October 27,
Architecture Steven M. Bellovin October 27, 2015 1 Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache has 49%; IIS has 36% (source: http://news.netcraft.com/archives/2008/09/30/
More informationCase Studies in Access Control
Joint software development Mail 1 / 38 Situations Roles Permissions Why Enforce Access Controls? Unix Setup Windows ACL Setup Reviewer/Tester Access Medium-Size Group Basic Structure Version Control Systems
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market (Apache has 70%; IIS has 20%) Both major servers have lots
More informationTest Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,
Test Conditions Closed book, closed notes, no calculator, no laptop just brains 75 minutes Steven M. Bellovin October 19, 2005 1 Form 8 questions I m not asking you to write programs or even pseudo-code
More informationProgram Structure. Steven M. Bellovin April 3,
Program Structure We ve seen that program bugs are a major contributor to security problems We can t build bug-free software Can we build bug-resistant software? Let s look at a few examples, good and
More informationProgram Structure I. Steven M. Bellovin November 14,
Program Structure I Steven M. Bellovin November 14, 2010 1 Program Structure We ve seen that program bugs are a major contributor to security problems We can t build bug-free software Can we build bug-resistant
More informationAuthentication. Steven M. Bellovin January 31,
Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to do Identification is whom you claim to be be Authentication
More informationAuthentication. Steven M. Bellovin September 26,
Authentication Steven M. Bellovin September 26, 2009 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to
More informationProgram Structure I. Steven M. Bellovin November 8,
Program Structure I Steven M. Bellovin November 8, 2016 1 Program Structure We ve seen that program bugs are a major contributor to security problems We can t build bug-free software Can we build bug-resistant
More informationDesigning a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,
Designing a System We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10, 2007 1 Some of Our Tools Encryption Authentication mechanisms Access
More informationI m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,
I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20, 2007 1 Special Techniques for Secure Programs Buffer overflows are bad in any case Some problems are only a risk for secure programs
More informationI m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,
I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2, 2008 1 Special Techniques for Secure Programs Buffer overflows are bad in any case Some problems are only a risk for secure programs
More informationSecure Programming II. Steven M. Bellovin September 29,
Secure Programming II Steven M. Bellovin September 29, 2014 1 I m paranoid, but am I paranoid enough? Steven M. Bellovin September 29, 2014 2 Special Techniques for Secure Programs Buffer overflows are
More informationCOS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy
Topics COS 318: Operating Systems File Systems hierarchy File system abstraction File system operations File system protection 2 Traditional Data Center Hierarchy Evolved Data Center Hierarchy Clients
More informationStorage and File System
COS 318: Operating Systems Storage and File System Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics Storage hierarchy File
More informationAuthentication. Steven M. Bellovin October 1,
Authentication Steven M. Bellovin October 1, 2016 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to do
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationProtection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger
Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify
More informationAccess Control. Steven M. Bellovin September 13,
Access Control Steven M. Bellovin September 13, 2016 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationSecurity Architecture
Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many applications, running on separate machines We need
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationSystem Structure. Steven M. Bellovin December 14,
System Structure Steven M. Bellovin December 14, 2015 1 Designing a System We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin December 14, 2015
More informationPolicy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems
Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationStorage and File Hierarchy
COS 318: Operating Systems Storage and File Hierarchy Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Topics Storage hierarchy File system
More informationCOS 318: Operating Systems
COS 318: Operating Systems File Systems: Abstractions and Protection Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Topics What s behind
More informationCSE 380 Computer Operating Systems
CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms 1 Policy vs. Mechanism q Access control policy is a specification
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationAuthentication. Steven M. Bellovin September 16,
Authentication Steven M. Bellovin September 16, 2013 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to
More informationProtection and Security
Protection and Security Security: policy for controlling access to system Protection: mechanism implementing security policy Why: users can do bad things to system either maliciously or unintentionally
More informationGoals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack
Last Updated: Nov 7, 2017 Goals Understand UNIX pw system How it works How to attack Understand Lamport s hash and its vulnerabilities History of UNIX passwords Originally the actual passwords were stored
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationIntroduction to Security and User Authentication
Introduction to Security and User Authentication Brad Karp UCL Computer Science CS GZ03 / M030 14 th November 2016 Topics We ll Cover User login authentication (local and remote) Cryptographic primitives,
More information22-Sep CSCI 2132 Software Development Lecture 8: Shells, Processes, and Job Control. Faculty of Computer Science, Dalhousie University
Lecture 8 p.1 Faculty of Computer Science, Dalhousie University CSCI 2132 Software Development Lecture 8: Shells, Processes, and Job Control 22-Sep-2017 Location: Goldberg CS 127 Time: 14:35 15:25 Instructor:
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationCSC 474 Network Security. Authentication. Identification
Computer Science CSC 474 Network Security Topic 6. Authentication CSC 474 Dr. Peng Ning 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationRace Condition Vulnerability Lab
Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded
More informationUser Authentication and Passwords
User Authentication and : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 31 October 2012 Y12S2L11, Steve/Courses/2012/s2/css322/lectures/passwords.tex,
More informationQuestion No: 2 Which identifier is used to describe the application or process that submitted a log message?
Volume: 65 Questions Question No: 1 Which definition of a fork in Linux is true? A. daemon to execute scheduled commands B. parent directory name of a file pathname C. macros for manipulating CPU sets
More informationNigori: Storing Secrets in the Cloud. Ben Laurie
Nigori: Storing Secrets in the Cloud Ben Laurie (benl@google.com) April 23, 2013 1 Introduction Secure login is something we would clearly like, but achieving it practically for the majority users turns
More informationIntroduction to Computer Security
Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationAuthentication. Identification. AIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationPasswords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014
Passwords CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Unix Passwords In Unix, users are identified by user names Authenticated by passwords Therefore to login as
More informationHikCentral V1.3 for Windows Hardening Guide
HikCentral V1.3 for Windows Hardening Guide Contents Introduction... 1 1. The Operating System - Microsoft Windows Security Configuration... 2 1.1Strict Password Policy... 2 1.2Turn Off Windows Remote
More informationOutline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components
UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationChapter 8: Security under Linux
Chapter 8: Security under Linux 8.1 File and Password security Linux security may be divided into two major parts: a) Password security b) File security 8.1.1 Password security To connect to a Linux system
More informationProcesses and authentication
Processes and authentication UNIX process hierarchy ssh b146-* pstree -p less -S pstree -pu crandall lsof -p31009 nc -l 20202 & lsof -p31626 kill -9 31626 Process 1 Process 2 Process 3 System calls Kernel
More informationData Security and Privacy. Unix Discretionary Access Control
Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationChapter 5: User Management. Chapter 5 User Management
Chapter 5: User Management Chapter 5 User Management Last revised: 20/6/2004 Chapter 5 Outline In this chapter we will learn Where user and group account information is stored How to manage user accounts
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationUnix, History
Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History
More informationRethinking Authentication. Steven M. Bellovin
Rethinking Authentication Steven M. https://www.cs.columbia.edu/~smb Why? I don t think we understand the real security issues with authentication Our defenses are ad hoc I regard this as a step towards
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationAccess Control. Steven M. Bellovin September 2,
Access Control Steven M. Bellovin September 2, 2014 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware
More informationProgramming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)
Programming Project # 2 cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel) Background context Unix permissions model Prof Mitchell will cover during OS security (next week
More informationOperating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07
0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.
More informationFile Encryption. Steven M. Bellovin https://www.cs.columbia.edu/~smb
File Encryption Steven M. Bellovin https://www.cs.columbia.edu/~smb Why Encrypt Files? Theft of files Theft of media Theft of computer Cloud storage? I.e. Someone else s computer 1 Issues with File Encryption
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationProtection and Security. Sarah Diesburg Operating Systems CS 3430
Protection and Security Sarah Diesburg Operating Systems CS 3430 Definitions Security: policy of authorizing accesses Prevents intentional misuses of a system Protection: the actual mechanisms implemented
More informationUser Accounts. The Passwd, Group, and Shadow Files
User Accounts The Passwd, Group, and Shadow Files We'll start with the passwd (pronounced "password") file, located at /etc/passwd. This file holds information about all of the user accounts on the system.
More informationEndpoint Security - what-if analysis 1
Endpoint Security - what-if analysis 1 07/23/2017 Threat Model Threats Threat Source Risk Status Date Created File Manipulation File System Medium Accessing, Modifying or Executing Executable Files File
More informationAuthentication Objectives People Authentication I
Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.)
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationSE420 Software Quality Assurance
SE420 Software Quality Assurance Encryption Backgrounder September 5, 2014 Sam Siewert Encryption - Substitution Re-map Alphabet, 1-to-1 and On-to (function) A B C D E F G H I J K L M N O P Q R S T U V
More informationModule: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 1 Authentication and Authorization Fundamental mechanisms to enforce security on a system Authentication:
More informationRemote Administration
Windows Remote Desktop, on page 1 pcanywhere, on page VNC, on page 6 Windows Remote Desktop Remote Desktop permits users to remotely execute applications on Windows Server 2012 R2 from a range of devices
More informationSecurity Philosophy. Humans have difficulty understanding risk
Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy
More information10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]
1. Context 1.111.1 2 8 Deleting a group 8 1.111.1 Manage users and group accounts and related system files Weight 4 Outline Contents Linux Professional Institute Certification 102 Nick Urbanik
More informationOperating Systems Security Access Control
Authorization and access control Operating Systems Security Access Control Ozalp Babaoglu From authentication to authorization Once subjects have been authenticated, the next problem to confront is authorization
More informationCSE484 Final Study Guide
CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.
More informationAuthenticating People and Machines over Insecure Networks
Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov authenticating people objective Alice The Internet Bob Password= sesame Password= sesame! authenticate
More informationIntroduction. Read on and learn some facts about backup and recovery that could protect your small business.
Introduction No business can afford to lose vital company information. Small-business owners in particular must take steps to ensure that client and vendor files, company financial data and employee records
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More informationIntroduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture 09 Now, we discuss about the insecurity of passwords.
More informationCST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management
Student Name: Lab Section: Linux User and Group Management 1 Due Date - Upload to Blackboard by 8:30am Monday April 2, 2012 Submit the completed lab to Blackboard following the Rules for submitting Online
More informationNetwork Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System
Network Working Group T. Wu Request for Comments: 2945 Stanford University Category: Standards Track September 2000 Status of this Memo The SRP Authentication and Key Exchange System This document specifies
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 13 Announcements Talk today: 3:00 Wu & Chen Auditorium Boon Thau Loo "Declarative Networking: Extensible Networks with Declarative Queries"
More informationTPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies
Chapter 8 TPM Entities A TPM 2.0 entity is an item in the TPM that can be directly referenced with a handle. The term encompasses more than objects because the specification uses the word object to identify
More informationAdvanced Systems Security: Multics
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationThe kernel is the low-level software that manages hardware, multitasks programs, etc.
November 2011 1 Why Use Linux? Save Money Initial purchase and maintenance Resume Linux is used by MANY organizations More choices Tons of Linux operating systems November 2011 2 What is Linux? 1. Contains
More informationCS/CIS 249 SP18 - Intro to Information Security
Lab assignment CS/CIS 249 SP18 - Intro to Information Security Lab #2 - UNIX/Linux Access Controls, version 1.2 A typed document is required for this assignment. You must type the questions and your responses
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More information